Privacy Policy

The data controller for your account is the operator of SwimData. For privacy questions or requests, contact privacy@swimdata.net. For general account help, email info@swimdata.net.

Accounts are for people aged 18 or older (swimmers managing their own profile, parents/guardians, or coaches). We do not offer accounts directly to children. If you add a swimmer profile for a minor, you confirm you have authority to do so and should use a display name or nickname rather than the child's full legal name where possible.

• Account data: name, email address, password (stored as a secure hash), optional profile image, role (swimmer, parent, coach), and timestamps of age/terms confirmations.
• Swimmer profile data: display name, date of birth, sex, optional club and city, anthropometrics (height, weight, wingspan, shoe size, parental heights, puberty stage, growth spurt), and training load fields you choose to enter.
• Performance data: personal bests, swim times, meet history, goals, saved race analyses, and files you upload (CSV or images for time extraction).
• Derived & AI outputs: analytics, charts, cached AI interpretations, and reports generated from your data.
• Wearable data (optional WHOOP):if you connect a WHOOP account to a swimmer profile, we import profile, body measurements, recovery, sleep, strain, workouts, and related wellness metrics from WHOOP's OAuth API. This feature is currently limited to authorised admin accounts. See WHOOP wearable integration below.
• Technical data: session cookies required for sign-in, server logs, preferences stored for your account (e.g. analysis layout), and an approximate country derived from your IP address when you use the site (stored as a two-letter country code for operations and support — we do not store your full IP address in your account record).

• Contract: to provide the service you sign up for (accounts, profiles, analysis, exports).
• Legitimate interests: to secure the platform, prevent abuse, improve reliability, and understand where our users are located at a country level for support and product planning (balanced against your rights).
• Consent: optional features that require your explicit agreement before we process data — including connecting a WHOOP wearable account to a swimmer profile.

If you choose to connect WHOOP, you will be shown a detailed summary of the data categories we import and must tick an explicit consent checkbox before you are redirected to WHOOP to authorise OAuth access. Connection is voluntary and can be withdrawn at any time by disconnecting WHOOP on the swimmer profile page (which revokes our API access where possible and deletes imported WHOOP data from SwimData).

WHOOP metrics are generally delivered after the athlete completes a sleep cycle — they are not a real-time medical feed. Use them as training-load context alongside pool performance, not as medical advice.

• What we import:the following categories from WHOOP's public OAuth API for the linked member account:
  • Account & profile: WHOOP user ID, email, first name, and last name; Body measurements: height, weight, and max heart rate.
  • Recovery & vitals: Recovery score (0–100%); Resting heart rate and heart-rate variability (HRV / RMSSD); Blood oxygen (SpO₂) and skin temperature (when scored by WHOOP).
  • Strain & physiological cycles: Daily strain (0–21), energy (calories), and cycle timing; Average and maximum heart rate per physiological day.
  • Sleep: Sleep performance, efficiency, and consistency; Sleep stages (awake, light, deep/slow-wave, REM) as duration totals; Respiratory rate, sleep need, disturbances, and nap sessions.
  • Workouts & activities: Sport/activity type, start and end time, and activity strain; Average and maximum heart rate, energy, distance, and altitude; Heart-rate zone durations per workout.

  We do not import continuous heart-rate streams, raw sleep signal data, or other WHOOP app-only features outside WHOOP's public OAuth API.

• OAuth scopes: we request offline read:profile read:body_measurement read:recovery read:cycles read:sleep read:workout. You approve these on WHOOP's authorisation screen. If we expand scopes or this policy materially, you must disconnect and reconnect (and re-tick consent) so the athlete can approve the updated access.
• Why: to provide training-load, recovery, sleep, and activity context alongside swimming performance data on the relevant swimmer profile.
• Who can see it: imported WHOOP data is stored per swimmer profile and is currently exposed only to authorised admin accounts on SwimData (not all platform users).
• Lawful basis: your explicit consent (Art. 6(1)(a) GDPR; where applicable, Art. 9(2)(a) GDPR for health-related metrics). We do not start the OAuth flow unless you tick the consent box immediately before authorisation. We record the consent timestamp and policy version on the connection.
• Who processes the data: SwimData stores imported metrics in our database (see processors below). Access and refresh tokens are encrypted at rest. WHOOP, Inc. processes data under your WHOOP membership and developer OAuth terms when you sign in on their site (United States).
• Minors: if the swimmer is under 18, you confirm you have authority to connect their WHOOP account and to consent on their behalf where required by law.
• Retention: WHOOP tokens and imported snapshots (recovery, sleep, workouts, and profile fields) are kept until you disconnect WHOOP for that swimmer, delete the swimmer profile, or delete your SwimData account. Historical imports may be retained for up to roughly one year unless you disconnect sooner.

We use trusted service providers to run SwimData, including:

• Hosting and deployment (e.g. Vercel)
• Database hosting (e.g. Neon Postgres)
• Authentication (email and password)
• AI providers when you use features that generate interpretations (only the data needed for that request)
• WHOOP, Inc. — when you opt in to wearable integration, OAuth and API calls to retrieve profile, body measurements, recovery, sleep, strain, workouts, and related metrics (United States)

Some providers may process data in the United States or other countries outside your own. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers.

We retain your data while your account is active. If you delete swimmer profiles or your account, associated performance data is removed from our systems subject to backup retention cycles. We may retain minimal logs for security for a limited period.

Depending on where you live, you may have the right to:

• Access a copy of your personal data
• Rectify inaccurate data
• Request erasure ("right to be forgotten")
• Restrict or object to certain processing
• Data portability (machine-readable copy)
• Withdraw consent where processing is based on consent
• Lodge a complaint with your local data protection authority

You can download your data or delete your account anytime from Account in the app menu (settings page). Disconnecting WHOOP on a swimmer profile removes all imported wearable data (recovery, sleep, workouts, profile, and tokens) for that profile. You may also email privacy@swimdata.net. We will respond within the timeframes required by applicable law (typically one month).

We use HTTPS, access controls tied to your account, and industry-standard password hashing. No method of transmission or storage is 100% secure; please use a strong, unique password.

The service is not directed at children under 18 for self-registration. Parents, guardians, and coaches must manage minor athlete data responsibly and only with appropriate permission.

We may update this Privacy Policy from time to time. We will post the new version on this page and update the "Last updated" date. Material changes may be communicated by email or in-app notice where appropriate.